Advanced - SSL options

Use the Global > Advanced > SSL Options screen to set advanced SSL options on AMD Classic 12.4.x.

Note

These settings apply only to AMD Classic 12.4.x, not to later AMD/NAM Probe releases.

You can define new alert codes, change predefined common SSL alert codes, and decide which alert codes should be taken into account when calculating the failures (transport) metric.

Overview

By default, the most commonly used alert codes are already defined and divided into three groups:

  • SSL Alerts A
    10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110
    This group is shown on NAM reports as SSL Error 1, named SSL session fatal error by default.
  • SSL Alerts B
    41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115
    This group is shown on NAM reports as SSL Error 2, named SSL handshake fatal error by default.
  • SSL Alerts N
    All alerts not in group A or B. This group is shown on NAM reports as Other SSL Errors, named SSL warnings by default.

Using advanced options

Use the SSL Failures table to indicate the codes that should be reported as failures (transport).

  1. Select the Report server name from SSL certificate check box to enable the NAM Probe to extract the names from SSL certificates.

    These names are included with the monitored data along with the SSL setup time, protocol, and cipher.

  2. Right-click and select Add or Delete to add or delete the SSL alert codes in the SSL Failures table. You can also choose the source of alert code to trigger an SSL failure (server, client, or both).

If the NAM Probe is connected to CAS, SSL errors can be given customized names on the report server side. For more information, see Defining SSL error names.
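The grouping of alert codes described in the Overview and the source-aware SSL Failures table described above, worked through as an added example (not code from the NAM product): it parses plaintext TLS alert records, assigns each to SSL Error 1 / SSL Error 2 / Other SSL Errors, and counts failures (transport) against a constructed failures table whose shape (code to server/client/both) is an assumption.

```python
from collections import Counter
# Alert code groups exactly as listed in the Overview section above.
SSL_ALERTS_A = {10, 20, 21, 22, 30, 40, 49, 50, 51, 60, 70, 71, 110}  # SSL Error 1
SSL_ALERTS_B = {41, 42, 43, 44, 45, 46, 48, 111, 112, 113, 114, 115}  # SSL Error 2
# Constructed SSL Failures table (assumed shape): alert code -> source that triggers a failure.
SSL_FAILURES = {40: "both", 42: "server", 46: "client", 70: "both"}

def alert_group(code):
    """Map an alert description code to the NAM report group name."""
    if code in SSL_ALERTS_A:
        return "SSL Error 1"
    if code in SSL_ALERTS_B:
        return "SSL Error 2"
    return "Other SSL Errors"

def parse_alert_record(record):
    """Return (level, description) for a plaintext TLS alert record, else None."""
    if len(record) < 7 or record[0] != 21:       # ContentType.alert == 21
        return None
    length = int.from_bytes(record[3:5], "big")
    if length != 2:                              # an alert body is exactly 2 bytes
        return None
    return record[5], record[6]                  # level: 1 = warning, 2 = fatal

def is_failure(code, source):
    """True when the SSL Failures table counts this alert as a failure (transport)."""
    wanted = SSL_FAILURES.get(code)
    return wanted is not None and wanted in ("both", source)

def summarize(records):
    """records: iterable of (sender, raw TLS record). Returns (group counts, failures)."""
    groups, failures = Counter(), 0
    for source, raw in records:
        parsed = parse_alert_record(raw)
        if parsed is None:                        # not an alert record
            continue
        _level, code = parsed
        groups[alert_group(code)] += 1
        if is_failure(code, source):
            failures += 1
    return groups, failures
# Constructed sample traffic: (sender, TLS 1.2 record bytes).
SAMPLE = [
    ("server", bytes([21, 3, 3, 0, 2, 2, 40])),  # fatal handshake_failure -> SSL Error 1, failure
    ("server", bytes([21, 3, 3, 0, 2, 2, 42])),  # fatal bad_certificate -> SSL Error 2, failure
    ("client", bytes([21, 3, 3, 0, 2, 2, 42])),  # same alert from the client: counted, not a failure
    ("client", bytes([21, 3, 3, 0, 2, 1, 0])),   # close_notify warning -> Other SSL Errors
    ("client", bytes([23, 3, 3, 0, 1, 0])),      # application data record, ignored
]
```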

SSL alerts the AMD can recognize

| SSL alert name | SSL alert code | Description |
| --- | --- | --- |
| close_notify | 0 | Notifies the recipient that the sender will not send any more messages on this connection. |
| unexpected_message | 10 | Received an inappropriate message. This alert should never be observed in communication between proper implementations. Fatal. |
| bad_record_mac | 20 | Received a record with an incorrect MAC. Fatal. |
| decryption_failed | 21 | A TLSCiphertext record was decrypted in an invalid way: either it was not an even multiple of the block length or its padding values, when checked, were not correct. Fatal. |
| record_overflow | 22 | Received a TLSCiphertext record which had a length more than 2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than 2^14+1024 bytes. Fatal. |
| decompression_failure | 30 | Received improper input, such as data that would expand to excessive length, from the decompression function. Fatal. |
| handshake_failure | 40 | Indicates that the sender was unable to negotiate an acceptable set of security parameters given the options available. Fatal. |
| no_certificate_RESERVED | 41 | Sent by a client to indicate that the client does not have a proper certificate to fulfill a certificate request from the server. This alert description is no longer used by TLS (now the client sends an empty certificate message if the client does not have a proper certificate). |
| bad_certificate | 42 | There is a problem with the certificate, for example, a certificate is corrupt, or a certificate contains signatures that cannot be verified. |
| unsupported_certificate | 43 | Received an unsupported certificate type. |
| certificate_revoked | 44 | Received a certificate that was revoked by its signer. |
| certificate_expired | 45 | Received a certificate that has expired or is not currently valid. |
| certificate_unknown | 46 | An unspecified issue took place while processing the certificate that made it unacceptable. |
| illegal_parameter | 47 | Violated security parameters, such as a field in the handshake that was out of range or inconsistent with other fields. Fatal. |
| unknown_ca | 48 | Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. Fatal. |
| access_denied | 49 | Received a valid certificate, but when access control was applied, the sender did not proceed with negotiation. Fatal. |
| decode_error | 50 | A message could not be decoded because some field was out of the specified range or the length of the message was incorrect. Fatal. |
| decrypt_error | 51 | Failed handshake cryptographic operation, including being unable to correctly verify a signature, decrypt a key exchange, or validate a finished message. |
| export_restriction | 60 | Detected a negotiation that was not in compliance with export restrictions; for example, attempting to transfer a 1024 bit ephemeral RSA key for the RSA_EXPORT handshake method. Fatal. |
| protocol_version | 70 | The protocol version the client attempted to negotiate is recognized, but not supported. For example, old protocol versions might be avoided for security reasons. Fatal. |
| insufficient_security | 71 | Failed negotiation specifically because the server requires ciphers more secure than those supported by the client. Returned instead of handshake_failure. Fatal. |
| internal_error | 80 | An internal error unrelated to the peer or the correctness of the protocol makes it impossible to continue, such as a memory allocation failure. The error is not related to the protocol. Fatal. |
| user_canceled | 90 | Cancelled handshake for a reason that is unrelated to a protocol failure. If the user cancels an operation after the handshake is complete, just closing the connection by sending a close_notify is more appropriate. This alert should be followed by a close_notify. Generally a warning. |
| no_renegotiation | 100 | Sent by the client in response to a hello request or sent by the server in response to a client hello after initial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentication, and so on) at start-up and it might be difficult to communicate changes to these parameters after that point. Always a warning. |
| unsupported_extension | 110 | Sent by the client if the ServerHello contains an extension that the client did not request in its ClientHello. Fatal. |
| certificate_unobtainable | 111 | Sent by the server to indicate that the server cannot obtain a certificate from the URL the client has sent within a ClientCertificateURL extension. Possibly fatal. |
| unrecognized_name | 112 | Sent by the server if the server does not recognize a server name included in the ServerNameList extension received from the client. Possibly fatal. |
| bad_certificate_status_response | 113 | Sent by the client if the client gets an invalid certificate status response after having sent a CertificateStatusRequest extension. Fatal. |
| bad_certificate_hash_value | 114 | Sent by the server if a certificate hash value does not match the corresponding value received within a ClientCertificateURL extension message. Fatal. |
| unknown_PSK_identity | 115 | Indicates that the server does not recognize the PSK identity sent by the client. Fatal. |
| other | ? | Other. |